In the Java crypto libraries, there are two different representations of a key - Key
and KeySpec
. The docs imply there's a difference between the two - a KeySpec
is 'transparent' (whatever that means), but has no methods, whereas Key
has got a getEncoded
method. You're meant to use a KeyFactory
to convert between the two (and it indeed has got a getKeySpec
method to convert).
However, SecretKeySpec
implements both Key
and KeySpec
! But there is a SecretKeyFactory
class as well, that doesn't inherit off KeyFactory
.
All this has left me thoroughly confused. What's the different between a Key
and a KeySpec
, and how does SecretKeySpec
and SecretKeyFactory
come into it?
Interface KeySpec A (transparent) specification of the key material that constitutes a cryptographic key. If the key is stored on a hardware device, its specification may contain information that helps identify the key on the device.
This class represents a factory for secret keys. Key factories are used to convert keys (opaque cryptographic keys of type java. security. Key ) into key specifications (transparent representations of the underlying key material in a suitable format), and vice versa.
Transparent here means that all classes/interfaces implementing/extending the KeySpec
interface are supposed to reveal metadata about the key, in a provider independent way. This metadata is never used actually in common uses of the key(encryption etc.), but only used if there is need to look into the mathematical attributes of the key. Knowledge of such provider independent data about the key can be useful for example if you want to generate the key from/to a byte stream, hook the key if it resides on an HSM, or even find out if a key is weak like:
DESKeySpec.isWeak(byte[] key, int offset)
Whatever metadata you want to expose about your key is upto you. KeySpec
just acts as a marker interface (marker interface design pattern).
As opposed to such possible introspection with the KeySpec
, the keys generated using SecretKeyFactory
are "opaque", in the sense that you cannot get full mathematical(modulus, exponent, encoding, etc.) and other(if provided like DESKeySpec
above) metadata about the key.
SecretKeySpec
on the other hand is JCE's out of the box solution for generating keys from byte streams, and hence it implements both Key
and KeySpec
- to generate the key using KeySpec
provided, and make the key available using Key.getEncoded()
.
Key objects and key specifications (KeySpecs) are two different representations of key data.
Ciphers use Key objects to initialize their encryption algorithms, but keys may need to be converted into a more portable format for transmission or storage.
A transparent representation of keys means that you can access each key material value individually, through one of the get methods defined in the corresponding specification class.
For example, DSAPrivateKeySpec defines getX, getP, getQ, and getG methods, to access the private key x, and the DSA algorithm parameters used to calculate the key(the prime p, the sub-prime q, and the base g).
If the key is stored on a hardware device, its specification may contain information that helps identify the key on the device.This representation is contrasted with an opaque representation, as defined by the Key interface, in which you have no direct access to the key material fields. In other words, an "opaque" representation gives you limited access to the key-just the three methods defined by the Key interface: getAlgorithm, getFormat, and getEncoded.
A key may be specified in an algorithm-specific way, or in an algorithm-independent encoding format (such as ASN.1).
For example, a DSA private key may be specified by its components x, p, q, and g (eg: DSAPrivateKeySpec), or it may be specified using its DER encoding (eg: PKCS8EncodedKeySpec).
The KeyFactory and SecretKeyFactory classes can be used to convert between opaque and transparent key representations that is, between Keys and KeySpecs.
Reference and more details available at: https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#KeySpecs
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With